cyradm and allowing only encrypted passwords with 2.3.16?
Patrick Goetz
pgoetz at mail.utexas.edu
Mon Oct 4 12:51:01 EDT 2010
On 10/04/2010 11:07 AM, Dan White wrote:
>
> You can connect via a non plaintext mechanism, like digest-md5.
>
This seems like a straightforward case of RTFM, but how does one
determine the auth mechanism? I'm using saslauthd, pam, and have a
self-signed certificate (which I know works):
---------------------------------
ibis:~~$ cyradm --auth digest-md5 --tlskey
/etc/ssl/private/ssl-cert-mail.internetbs.com.key localhost
[ unable to get certificate from
'/etc/ssl/private/ssl-cert-mail.internetbs.com.key' ]
[ TLS engine: cannot load cert/key data, might be a cert/key mismatch]
[ TLS engine failed ]
^C
ibis:~~$
ibis:~ssl$ sudo ls -l /etc/ssl/private
total 8
-rw-r----- 1 root ssl-cert 887 2009-09-13 14:02
ssl-cert-mail.internetbs.com.key
-rw-r----- 1 root ssl-cert 887 2010-04-11 14:00 ssl-cert-snakeoil.key
ibis:~ssl$ groups cyrus
cyrus : mail sasl ssl-cert
--------------------------------
Maybe the problem is I'm still not 100% clear on how SASL works.
I have saslauthd running with
MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"
However, there's no sasl pam.d config file -- presumably SASL somehow uses
/etc/pam.d/imap
/etc/pam.d/lmtp
??? I don't have lmtp running in a chroot jail, which is how I can get
away with this. smtp does run in a chroot jail, but has its own
saslauthd with
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I don't remember anyone mentioning this possibility (running multiple
saslauthd daemons) in any howto; most people seem to jump through
inordinate hoops to get all other programs to use the sasl socket in the
smtp chroot jail, which seems to unnecessarily complicate things.
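The two saslauthd instances above differ only in the `-m` directory, and that directory is where each daemon creates its `mux` socket; a chrooted Postfix smtpd opens `/var/run/saslauthd/mux` relative to its chroot, which is why the second instance lives under `/var/spool/postfix`. The following added example (not from the original post or from the Cyrus project) parses saslauthd defaults-file contents of the `MECHANISMS=`/`OPTIONS=` form quoted above, derives the socket path each instance will serve, and prints the `testsaslauthd` command that checks it. The sample file contents are constructed to mirror the post; the `/var/run/saslauthd` fallback is the Debian default and is an assumption for other builds.

```shell
#!/bin/sh
# Added example: map a saslauthd defaults file to its mux socket and
# the testsaslauthd invocation that verifies that instance.

# Constructed sample contents, mirroring the two instances in the post.
SASL_MAIN='MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"'
SASL_POSTFIX='MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"'

# saslauthd_mech CONTENT -> prints the MECHANISMS value without quotes
saslauthd_mech() {
    printf '%s\n' "$1" | sed -n 's/^MECHANISMS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# saslauthd_mux CONTENT -> prints the mux socket path. Falls back to
# /var/run/saslauthd/mux when OPTIONS carries no -m (Debian's default;
# assumption for other builds).
saslauthd_mux() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^OPTIONS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
    dir=/var/run/saslauthd
    # Walk the option words and pick the argument of -m.
    set -- $opts
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) dir=$2; shift ;;
        esac
        shift
    done
    printf '%s/mux\n' "$dir"
}

# check_instance NAME CONTENT -> one-line report plus the verification
# command. testsaslauthd is not run here; it needs a live daemon.
check_instance() {
    mech=$(saslauthd_mech "$2")
    mux=$(saslauthd_mux "$2")
    printf '%s: mechanism=%s socket=%s\n' "$1" "$mech" "$mux"
    printf '  verify with: testsaslauthd -u USER -p PASS -f %s\n' "$mux"
}

check_instance imap "$SASL_MAIN"
check_instance postfix "$SASL_POSTFIX"
```

Run it as-is to see the two socket paths; then run the printed `testsaslauthd` line for each instance with a real account to confirm that PAM authentication succeeds through that daemon before pointing imapd or smtpd at it.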